windows heap overflows - orkspace.net · windows heap overflows introduction this presentation will...

47
Windows Heap Overflows David Litchfield <[email protected]>

Upload: others

Post on 12-Jul-2020

22 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

David Litchfield <[email protected]>

Page 2: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Introduction

This presentation will examine how to exploitheap based buffer overflows on the Windowsplatform. Heap overflows have been welldocumented on *nix platforms, for exampleMatt Connover’s paper – w00w00 on heapoverflows, but they’ve not been welldocumented on Windows, though HalvarFlake’s Third Generation Exploits paper coveredthe key concepts.

Page 3: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Heap based buffers are safe…. ?????

Most developers are aware of the dangers ofstack based buffer overflows but too manystill believe that if a heap based buffer isoverflowed it’s not too much of a problem.

One paper on secure coding suggested that tosolve the problem of stack based overflowswas to move the buffer to the heap!

Page 4: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

What is a heap?

The heap is an area of memory used forstorage of dynamic data. Every process has adefault process heap but a developer cancreate their own private heaps. Space isallocated from the heap and freed whenfinished with.

Page 5: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Heap functions

Page 6: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Heap Design

Each heap starts with a structure. Thisstructure, amongst other data, contains anarray of 128 LIST_ENTRY structures. EachLIST_ENTRY structure contains two pointers– see winnt.h. This array can be found at0x178 bytes into the heap structure – call itthe FreeList array.

Page 7: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Heap Design

When a heap is first created there are twopointers that point to the first free block setin FreeList[0]. Assuming the heap baseaddress is 0x00350000 then first availableblock can be found at 0x00350688.

Page 8: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Heap Design

0x00350178 (FreeList[0].Flink) = 0x00350688 (First Free Block)0x0035017C (FreeList[0].Blink) = 0x00350688 (First Free Block)

0x00350688 (First Free Block) = 0x00350178 (FreeList[0])0x0035068C (First Free Block+4) = 0x00350178 (FreeList[0])

When an allocation occurs these pointers are updated accordingly.As more allocations and frees occur these pointers arecontinually updated and in this fashion allocated blocks aretracked in a doubly linked list.

Page 9: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

So where’s the problem?

When a heap based buffer is overflowed thecontrol information is overwritten so whenthe buffer (allocated block) is freed and itcomes to updating the pointers in theFreeList array there’s going to be an accessviolation.

Page 10: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

So where’s the problem?

Example: See code listing A – heap.c

Page 11: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

So where’s the problem?

Access violation

77F6256F mov dword ptr [ecx],eax

77F62571 mov dword ptr [eax+4],ecx

EAX = 0x42424242

ECX = 0x42424242

If we own both EAX and ECX we have an arbitrary DWORD overwrite. We canoverwrite the data at any 32bit address with a 32bit value of our choosing.

Page 12: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Exploiting Heap Overflows

Repairing the HeapUnhandled Exception FilterPEB function PointerVectored Exception HandlingThread Environment Block

Page 13: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Repairing the heap

After the overflow the heap is corrupt so you’llneed to repair the heap.

Many of the Windows API calls use the defaultprocess heap and if this is corrupt the exploitwill access violate.

Page 14: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Repairing the heap

Could repair on a per vulnerability/exploit basis.Time consuming and could run intoproblems.

Need a generic way to repair the heap which iseffective for all exploits. Write it once andreuse it.

Page 15: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Repairing the heap

The best method for repairing the heap is toreset the heap making it “appear” as if it is afresh new heap. This will keep other heapdata intact but allow fresh allocations.

Page 16: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Repairing the heap

We reset our overflow heap control structurewith heap.TotalFreeSize and set the flags to0x14 then set heap.FreeLists[0].Flink andheap.FreeLists[0].Blink to the start of thefake control structure.

See code listing B – asm-repair-heap.

Page 17: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Exploit: Using the Unhandled Exception Filter

The Unhandled Exception Filter method is themost common method used. The UEF is the“last ditch effort” exception handler.

Page 18: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Exploit: Using the Unhandled Exception Filter

Location varies from OS to OS and SP to SP.Disassemble the SetUnhandledExceptionFilterfunction.

77E7E5A1 mov ecx,dword ptr [esp+4]

77E7E5A5 mov eax,[77ED73B4]

77E7E5AA mov dword ptr ds:[77ED73B4h],ecx

77E7E5B0 ret 4

UEF = 0x77ED73B4

Page 19: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Exploit: Using the Unhandled Exception Filter

When an unhandled exception occurs thefollowing block of code is executed:

77E93114 mov eax,[77ED73B4]

77E93119 cmp eax,esi

77E9311B je 77E93132

77E9311D push edi ***

77E9311E call eax

Page 20: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Exploit: Using the Unhandled Exception Filter

Essence of the method is to set our ownUnhandled Exception Filter.

EDI was pushed onto the stack. 0x78 bytespast EDI is a pointer to the end of the buffer– just before the heap management controlstuff.

Page 21: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Exploit: Using the Unhandled Exception Filter

Set the UEF to an address that points to a

CALL DWORD PTR [EDI + 0x78]

Many can be found in netapi32.dll, user32.dll,rpcrt4.dll for example.

Page 22: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Exploit: Using the Unhandled Exception Filter

Notes: Other OSes may not use EDI. Windows2000 for example has a pointer at ESI+0x4Cand EBP+0x74.

Using this method you need to know the targetsystem – i.e. what OS and what SP level.

Page 23: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Exploit: Using the Unhandled Exception Filter

Example: See code listing C – heap-uef.c andcode listing D - exploit-uef.c

Page 24: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Exploit: Using Vectored Exception Handling

Vectored Exception Handling is new as ofWindows XP.

Unlike traditional frame based exceptionhandling where EXCEPTION_REGISTRATIONstructures are stored on the stackinformation about VEH is stored on the heap.

Page 25: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Exploit: Using Vectored Exception Handling

A pointer to the first Vectored ExceptionHandler is stored at 0x77FC3210. Points to a_VECTORED_EXCEPTION_NODE.

Page 26: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Exploit: Using Vectored Exception Handling

struct _VECTORED_EXCEPTION_NODE

{

DWORD m_pNextNode;

DWORD m_pPreviousNode;

PVOID m_pfnVectoredHandler;

}

Page 27: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Exploit: Using Vectored Exception Handling

Vectored handlers are called before any framebased handlers! Technique involvesoverwriting the pointer to the first_VECTORED_EXCEPTION_NODE @0x77FC3210 with a pointer to a fake VEnode.

Page 28: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Exploit: Using Vectored Exception Handling

77F7F49E mov esi,dword ptr ds:[77FC3210h]77F7F4A4 jmp 77F7F4B477F7F4A6 lea eax,[ebp-8]77F7F4A9 push eax77F7F4AA call dword ptr [esi+8]77F7F4AD cmp eax,0FFh77F7F4B0 je 77F7F4CC77F7F4B2 mov esi,dword ptr [esi]77F7F4B4 cmp esi,edi77F7F4B6 jne 77F7F4A6

The code behind calling the vectored exception handler.

Page 29: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Exploit: Using Vectored Exception Handling

Need to find a pointer on the stack to ourbuffer. Assume it can be found at0x0012FF50. This becomes ourm_pfnVectoredHandler making the addressof our pseudo_VECTORED_EXCEPTION_NODE0x0012FF48.

Page 30: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Exploit: Using Vectored Exception Handling

Remember on the free we get an arbitraryDWORD overwrite:

77F6256F mov dword ptr [ecx],eax

77F62571 mov dword ptr [eax+4],ecx

We set EAX to 0x77FC320C and ECX to0x0012FF48.

Page 31: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Exploit: Using Vectored Exception Handling

0x77FC320C is moved into 0x0012FF48 then0x0012FF48 is moved into 0x77FC3210 –thus our pointer is set. When an exceptionoccurs 0x0012FF48 (our pseudo VEN) ismoved into ESI and DWORD PTR[ESI+8] iscalled. ESI+8 is a pointer to our buffer.

Page 32: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Exploit: Using Vectored Exception Handling

Notes: If the location of the stack (and thus thepointer to the buffer) moves this method canbe unreliable.

Example: See code listing E – heap-vector.cand F – exploit-vector.c

Page 33: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Exploit: RtlEnterCriticalSection pointer in the PEB

Each process contains a structure known as thePROCESS ENVIRONMENT BLOCK or PEB. ThePEB can be referenced from the ThreadInformation/Environment Block TIB/TEB.FS:[0] points to the TEB.

mov eax, dword ptr fs:[0x30]mov eax, dword ptr fs:[eax+0x18]

Page 34: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Exploit: RtlEnterCriticalSection pointer in the PEB

As well as containing other process specificdata the PEB contains some pointers toRtlEnterCriticalSection andRtlLeaveCriticalSection. These pointers arereferenced from RtlAccquirePebLock andRtlReleasePebLock. RtlAccquirePebLock iscalled from ExitProcess for example.

Page 35: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Exploit: RtlEnterCriticalSection pointer in the PEB

The location of the PEB is stable acrossWindows NT 4 / 2000 / XP and thus thepointer to RtlEnterCriticalSection can befound at 0x7FFDF020. Whilst the PEB can befound at the same address in Windows 2003the function pointers are no longer presentso this method won’t work with 2003.

Page 36: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Exploit: RtlEnterCriticalSection pointer in the PEB

The method simply involves overwriting thepointer to RtlEnterCriticalSection in the PEBwith the address of an instruction that willreturn to the buffer.

Example: See code listing G – heap-peb.c andH – exploit-peb.c

Page 37: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Exploit: TEB Exception Handler Pointer

Each Thread Environment Block contains apointer to the first frame based exceptionhandler. The first thread’s TEB has a baseaddress of 0x7FFDE000 and each newthread’s TEB is assigned an address growingtowards 0x00000000. If a thread exits and anew thread is created then it will get theaddress of the previous thread’s TEB.

Page 38: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Exploit: TEB Exception Handler Pointer

This can lead to a “messy” TEB table and canmake this method uncertain.

However, if the address of the vulnerablethread’s TEB is stable then this method canbe used quite effectively.

Page 39: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Exploit: TEB Exception Handler Pointer

The method involves overwriting the pointer tothe first exception handler in the TEB with anaddress that points to an instruction that willget path of execution back to the buffer.

Page 40: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Exploit: Getting Creative!

There are other ways to exploit heap basedbuffer overflows to execute arbitrary code todefeat mechanisms such as marking theheap as non-executable.

Page 41: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Exploit: Getting Creative!

Assume we have a process with the heapmarked as non-executable. This can bedefeated with pointer subversion.

An example of this can be found in the faultreporting functionality of theUnhandledExceptionFilter() function.

Page 42: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Exploit: Getting Creative!

The fault reporting code callsGetSystemDirectoryW() to which “faultrep.dll”is concatenated. This library is the loadedand the ReportFault() function is called.

Page 43: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Exploit: Getting Creative!

GetSystemDirectoryW() references a pointer inthe .data section of kernel32.dll that pointsto where the wide character string of theWindows system directory can be found. Thispointer can be found at 0x77ED73BC. Onoverflow we can set this pointer to our ownsystem directory.

Page 44: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Exploit: Getting Creative!

Thus when GetSystemDirectoryW() is called the“system” directory is a directory owned bythe attacker – this can even be a UNC path.The attacker would create their ownfaultrep.dll which exports a ReportFault()function and so when theUnhandledExceptionFilter() function is calledarbitrary code can be executed.

Page 45: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Exploit: Getting Creative!

Whilst code paths are finite I’d argue that thepossibilities of what can be done is limitedmore by the imagination.

Page 46: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Conclusion

Hopefully this presentation has demonstratedthe dangers of heap based buffer overflowsand that developers not treat them asbenign.

Any questions?

Page 47: Windows Heap Overflows - orkspace.net · Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap

Windows Heap Overflows

Thanks for coming!

Thanks for coming and enjoy the rest of theconference!